Computer and Information Science
CIS 607: Security in Systems, Storage, and Clouds
Fundamental Concepts
13 October 2010
Prof. Butler

Announcements
• Reminder: paper presentation preferences
  ‣ I'm going to make assignments tonight or tomorrow night, contingent on the number of students & papers
  ‣ Next week: Multics evaluation
• Presentation should cover both papers (the second is a retrospective of the first)
• Mailing list: primary communication channel (in conjunction with the website)
  ‣ Email or see me if you haven't received anything
• Background document
  ‣ If I don't receive this I'll assume you're not taking the class for credit

Last Time
• Course mechanics
• Introduction to security terminology
• Thompson paper
  ‣ W32/Induc-A is actual malware based on this approach
    http://www.sophos.com/blogs/sophoslabs/v/post/6117

Recap: Computer Security
• What does it mean for a computer to be secure?
• "A computer is secure if you can depend on it and its software to behave as you expect."
  ‣ Garfinkel, Spafford, and Schwartz (2003)
• Expected by whom? Under what circumstances?

Ensuring Dependability
• Q: How can you depend on the system doing what you want it to do?
• A: Need to have some evidence that it's doing things the right way
• Q: How can we actually obtain this evidence?
• A: Have a mechanism that oversees all sensitive operations within the system

Reference Monitor
• James Anderson, 1972 USAF technical report
  ‣ Recognized the inadequacy of existing systems in their ability to withstand attacks against HW & SW
  ‣ Designers generally only considered benign environments where violations were presumed to be accidental
  ‣ "Unless security is designed into a system from its inception, there is little chance that it can be made secure by retrofit."
  ‣ "Lacking a set of principles adhered to strongly in the design of a system, one finds that there is no way to determine when a secure system has been achieved"

Reference Monitor Concept
• Enforce access relationships between the subjects and objects of a system
• Reference validation mechanism: validates each reference to data or programs by any user against a list of authorized types as defined by an access matrix

Reference Monitor (slide from the Systems and Internet Infrastructure Security (SIIS) Laboratory)
• Components
  ‣ Reference monitor interface (e.g., LSM)
  ‣ Authorization module (e.g., SELinux)
  ‣ Policy store (e.g., policy binary)

Reference Monitor Guarantees
• Complete mediation
  ‣ The reference validation mechanism must always be invoked
• Tamperproofness
  ‣ The reference validation mechanism must be tamperproof
  ‣ What does this mean?
• Verifiability
  ‣ The reference validation mechanism must be subject to analysis and tests, the completeness of which must be assured

Complete Mediation
• Every security-sensitive operation must be mediated (i.e., the reference monitor must always be invoked)
  ‣ Q: What does it mean for an operation to be security-sensitive?
  ‣ A: an operation that enables a subject with a certain set of permissions to access an object with a different permission set
• How can complete mediation be validated?
  ‣ Identify every operation and determine whether the interface mediates it correctly
  ‣ Is it enough to look at system calls?

Tamperproofness
• Protect the reference monitor against modification by untrusted entities
• Only operations within the trusted computing base can modify the reference monitor
• What needs to be protected?
  ‣ physical vs. logical
  ‣ interface, mechanism, policy
  ‣ any code and policy that can potentially modify the reference monitor

Verifiability
• Must be able to test and analyze the reference validation mechanism
• How can this be done?
  ‣ Verify the code: how can you ensure correctness?
  ‣ Verify the policy enforced: same question as above
• What does it mean for the code base to be correct?

Reference Monitor Examples
• In-kernel mechanisms
  ‣ security kernels contained in Scomp, GEMSOS
  ‣ Windows NT kernel contains a "security reference monitor"
    • NT itself is heavily based on the VAX VMS kernel
  ‣ Linux Security Modules (LSM)
  ‣ Security Enhanced Linux (SELinux)
  ‣ Trusted Solaris

Security Policy
• The reference monitor gives a mechanism for enforcing security policy
• What are we trying to enforce?
• Important security goal: separate policy from mechanism
• What do we need to be able to trust?
• Trusted Computing Base: the hardware and software in a system that is critical to the system's secure operation
  ‣ The larger the TCB, the larger the attack surface

Protection
• Reason for policy: to protect the resources of our system
• How is protection maintained?
  ‣ memory, storage, virtual machines
  ‣ memory segmentation
  ‣ file-system permissions
  ‣ labels in mandatory access control systems
• The protection state of a system describes the set of operations that subjects are able to perform on objects within the system

Rationale for Protection
• What are we protecting against?
  ‣ Threats to...
  ‣ confidentiality (reading data from a process without permission)
  ‣ integrity (overwriting or deleting data from a process without permission)
  ‣ availability (denial of service, exceeding quota limits)
• What are we protecting?
  ‣ subjects: active entities that perform actions
  ‣ objects: passive entities that have actions performed on them
  ‣ rights: actions that are taken

Access Matrix
• A means of representing policy & protection
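The reference monitor components (interface, authorization module, policy store), the three guarantees, the protection-state definition and the access matrix all fit together in a small piece of code. The following is an added example written for these notes; it is not code from the lecture or from any of the systems named above (LSM, SELinux, GEMSOS). The subjects alice and bob, the object /payroll, the rights own/read/write and the class and function names are this example's own constructed assumptions.

```python
# Added example (not from the lecture): a minimal reference monitor whose
# policy store is an access matrix.  Subjects, objects and rights are
# constructed sample data.
from typing import Dict, Set

Right = str
AccessMatrix = Dict[str, Dict[str, Set[Right]]]  # subject -> object -> rights


class AccessDenied(PermissionError):
    """Raised by the reference validation mechanism for an unauthorized reference."""


class ReferenceMonitor:
    """Authorization module plus policy store.  The only way to change the
    policy is grant(), which is itself mediated (tamperproofness of policy)."""

    def __init__(self, matrix: AccessMatrix) -> None:
        # Deep-copy so a caller holding the original dict cannot bypass mediation.
        self._matrix: AccessMatrix = {s: {o: set(r) for o, r in objs.items()}
                                      for s, objs in matrix.items()}

    def check(self, subject: str, obj: str, right: Right) -> bool:
        """Reference validation: does (subject, object) carry this right?"""
        return right in self._matrix.get(subject, {}).get(obj, set())

    def authorize(self, subject: str, obj: str, right: Right) -> None:
        if not self.check(subject, obj, right):
            raise AccessDenied(f"{subject} lacks {right!r} on {obj!r}")

    def grant(self, granter: str, grantee: str, obj: str, right: Right) -> None:
        """Changing the protection state is a security-sensitive operation:
        only a subject holding 'own' on the object may extend another's rights."""
        self.authorize(granter, obj, "own")
        self._matrix.setdefault(grantee, {}).setdefault(obj, set()).add(right)

    def protection_state(self) -> Dict[str, Dict[str, frozenset]]:
        """Read-only snapshot of the matrix for analysis (verifiability)."""
        return {s: {o: frozenset(r) for o, r in objs.items()}
                for s, objs in self._matrix.items()}


class FileStore:
    """Objects plus the reference monitor interface.  Every operation on an
    object calls authorize() first, so there is no unmediated path to data
    (complete mediation within this store)."""

    def __init__(self, monitor: ReferenceMonitor) -> None:
        self._rm = monitor
        self._data: Dict[str, bytes] = {}

    def write(self, subject: str, name: str, data: bytes) -> None:
        self._rm.authorize(subject, name, "write")
        self._data[name] = data

    def read(self, subject: str, name: str) -> bytes:
        self._rm.authorize(subject, name, "read")
        return self._data[name]


def unauthorized_writers(monitor: ReferenceMonitor, obj: str) -> Set[str]:
    """Analysis over the protection state: which subjects can write `obj`
    without owning it?  An empty set is the integrity property we want."""
    state = monitor.protection_state()
    return {s for s, objs in state.items()
            if "write" in objs.get(obj, ()) and "own" not in objs.get(obj, ())}


def demo() -> dict:
    # Constructed sample policy: alice owns /payroll, bob may only read it.
    matrix: AccessMatrix = {
        "alice": {"/payroll": {"own", "read", "write"}},
        "bob":   {"/payroll": {"read"}},
    }
    rm = ReferenceMonitor(matrix)
    fs = FileStore(rm)
    results = {}

    fs.write("alice", "/payroll", b"salaries")
    results["bob_reads"] = fs.read("bob", "/payroll")

    try:
        fs.write("bob", "/payroll", b"tampered")     # mediated and refused
        results["bob_writes"] = True
    except AccessDenied:
        results["bob_writes"] = False

    try:
        rm.grant("bob", "bob", "/payroll", "write")  # bob cannot change policy
        results["bob_self_grants"] = True
    except AccessDenied:
        results["bob_self_grants"] = False

    # Mutating the caller's original dict after construction has no effect.
    matrix["bob"]["/payroll"].add("write")
    results["bypass_via_alias"] = rm.check("bob", "/payroll", "write")

    rm.grant("alice", "bob", "/payroll", "write")    # owner extends bob's rights
    results["after_grant"] = sorted(unauthorized_writers(rm, "/payroll"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the layout is the separation the slides ask for: FileStore is mechanism and knows nothing about who may do what, ReferenceMonitor is policy, and the only code that can alter the matrix is grant(), which is checked like any other operation. Complete mediation here is a property of FileStore's code, not of the monitor: a second class that touched _data directly would break it, which is why the lecture asks whether looking at system calls alone is enough.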